topic As you mentioned "hair in Network Security

Same VLAN Traffic Blocking

shinumathew123 — Tue, 12 Mar 2019 06:46:01 GMT

Hi Friends,

I have Cisco ASA 5545-x firewall.I have configured all the VLAN's in firewall.When We are trying connect the same VLAN server(any tcp or udp ports )the traffic coming to firewall and getting block.I have already enabled same-security infra-interface

Please help me to resolve this issue.

Regards,

Mathew

Hi, Can you explain the

Rishabh Seth — Mon, 19 Oct 2015 07:34:48 GMT

Hi,

Can you explain the network setup and provide details about the required traffic flow in your network.

Also let us know if the machine from where you are trying to connect to the server are in the same vlan or different?

Share your findings,

Thanks,

R.Seth

HI Seth,Yes .The servers are

shinumathew123 — Mon, 19 Oct 2015 08:07:17 GMT

HI Seth,

Yes .The servers are in same vlan.

1. Created all the vlans in the firewall

2. Created sub-interfaces

3. Servers GW is sub interface ip address

Server A(10.10.10.100) trying to connect Server B(10.10.10.101)

Attached the diagram for better understanding.I have already enabled same-security infra-interface.

Regards,

Mathew

Hi Mathew, I understand that

Rishabh Seth — Mon, 19 Oct 2015 08:14:08 GMT

Hi Mathew,

I understand that the servers are in same VLAN and you have permitted intra-interface traffic.

But the client are also in the same vlan?

>> If you are trying to test connectivity between serverA and serverB then, the ASA will not come into picture as the two servers are in the same subnet so they will communicate directly.

>> If the client is behind a different interface then you should check ACLs and permit traffic.

>> If ASA is doing inter-vlan routing (like router on stick) then enable inter-interface traffic as well.

Let us know if this helps.

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

Hi Seth,Yes.Right. Both are

shinumathew123 — Mon, 19 Oct 2015 08:32:08 GMT

Hi Seth,

Yes.Right. Both are same VLAN.The traffic wont come to the firewall.Its very weird .I am seeing the traffic in the firewall.Is it some thing related to hair pinning. Need to add some NAT here.

I just confused.

Regards,

Matt

As you mentioned "hair

Rishabh Seth — Mon, 19 Oct 2015 08:36:09 GMT

As you mentioned "hair-pinning" so can you explain the required traffic flow in your setup.

Explain with example so that we can easily understand the requirement and help you in implementing it.

Thanks,

R.Seth

One more thing .As you said

shinumathew123 — Mon, 19 Oct 2015 08:41:23 GMT

One more thing .As you said.If both are in same network .Traffic wont go to firewall.I have checked the ARP table in the switch .Their are no ARP entiry.All the ARP entry is in firewall only.

See this video for Hair pinning

https://www.youtube.com/watch?v=wjEfdfI0BqY

Regards,

Matt

Hi Matt, Are you trying to

Rishabh Seth — Mon, 19 Oct 2015 08:50:39 GMT

Hi Matt,

Are you trying to access the server on its public IP or on its private IP?

If its the public IP then the ASA will be processing the traffic otherwise the client will directly contact the server on its private IP.

In case you are using public IP then check your NAT rule on ASA.

Also, you should check arp table on the end clients and not the switch. On switch you can check the mac address table.

Thanks,

R.Seth

Hi Seth,I have already

shinumathew123 — Mon, 19 Oct 2015 08:55:45 GMT

Hi Seth,

I have already explained the traffic flow. Both are in same network servers.I am trying to access internally and both connected in same switch.No other client.

Regards,

Matt

Hi Matt, If you are trying to

Rishabh Seth — Mon, 19 Oct 2015 09:24:47 GMT

Hi Matt,

If you are trying to access server A from server B on its internal IP then you should be able to reach the application without passing trough ASA.

>> Try to check reachability by pinging devices.

>> If you have reachability then check if there is any firewall/ setting that might be blocking the traffic.

>> Also check the arp on the client and server and confirm you see correct MAC-IP mapping.

Hope it helps.

Thanks,

R.Seth

Yes.The funny part is the

shinumathew123 — Mon, 19 Oct 2015 09:37:28 GMT

Yes.The funny part is the first ping got filtered and reaching that packets to firewall.Rest of the packets are passing and if I allow the ports in the firewall it works.But Why the packets are coming to firewall.thats my concern.

Regards,

Matt

Do you have any static NAT

Rishabh Seth — Mon, 19 Oct 2015 09:54:56 GMT

Do you have any static NAT configured on ASA for the internal subnet IP?

If yes then try to edit the NAT and apply no-proxy-arp in that NAT rule and check if it helps.

Thanks,

R.Seth

No.I do not have any static

shinumathew123 — Mon, 19 Oct 2015 15:52:20 GMT

No.I do not have any static NAT configured

Are you using IP address /

Rishabh Seth — Mon, 19 Oct 2015 17:30:25 GMT

Are you using IP address / domain to access the web server?

If it is domain name, check the DNS resolution, is it public IP or private IP.

As you have described the setup, the traffic should not come to ASA unless you are using Public IP.

Thanks,

R.Seth

No .Its application servers.

shinumathew123 — Mon, 19 Oct 2015 17:44:31 GMT

No .Its application servers. There is no public ip address in picture.